BadNews is bad news for Android users

It’s no secret that the authors of malicious software are increasingly attacking the Android mobile platform. Its open nature, along with the ability of users to download software outside of curated app stores, and its large, global installed base make for a juicy target.

These cyberscum are also getting more creative. Last week, a company that makes mobile security software warned about BadNews, a new scheme for delivering Android malware through what appears to be an advertising network. Lookout said it had discovered the code in 32 different apps that had been downloaded millions of times from the Google Play store.

Writing in Lookout’s blog, principal security researcher Marc Rogers said the ad network approach was used to get past Google Play’s checks for malware. It’s designed to deliver malware on a delayed basis, so the malicious behavior isn’t easily detected by initial checks for known threats. (Google has since removed from the Play Store all the apps that contained the malicious ad network, Rogers writes.)

So how bad is BadNews? Pretty bad:

BadNews has the ability to send fake news messages, prompt users to install applications and send sensitive information such as the phone number and device ID to its Command and Control (C&C) server. BadNews uses its ability to display fake news messages in order to push out other types of monetization malware and promote affiliated apps.

Rogers points out that the appearance of this kind of malware creates challenges for developers, who often rely on third-party components to provide advertising to help pay for their apps. Pick a network that’s not been well vetted, and you could end up delivering malware to your users.

There are some caveats to Lookout’s report. First, most of the apps were largely aimed at Russian and Eastern European users, though 10 were English-language apps.

Also, the exact extent of the apps’ distribution isn’t clear from Lookout’s reports. Lookout says the apps were downloaded between approximately 2 million and 9 million times, which is a huge range. Still, the most popular app, based on the chart below, appears to be an English-language game called Savage Knife.

Savage Knife is no longer available on Google Play, but based on Google search results, it had decent reviews, with a 4.5-star rating.

And while Savage Knife is gone from the Play Store, it’s still available on other app stores, easily found with a Web search. It’s still out there, and chances are people are still downloading it and installing it.

Rogers points out that it’s unclear whether all 32 apps were created to disseminate BadNews, or whether some are applications in which developers unwittingly included the malicious ad network. That’s the real threat of BadNews – it’s essentially a proof-of-concept for a new method of distributing mobile malware, and one that apparently works all too well.